Merge branch 'develop'

.github/workflows/ci.yml

@@ -1,6 +1,5 @@
 name: CI/CD
 
-# Trigger the workflow on push or pull request
 on:
   push:
     branches:
@@ -10,40 +9,25 @@ on:
       - alpha
       - '[0-9]+.x'
       - '[0-9]+.[0-9]+.x'
-  pull_request:
 
 jobs:
-  build:
-    name: Build
-    if: "! (github.event_name == 'push' && github.ref == 'refs/heads/master')"
-    runs-on: ubuntu-18.04
+  appinspect-addon:
+    name: AppInspect (Add-on)
+    runs-on: ubuntu-20.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Build Add-on
         id: build-addon
         run: scripts/build.sh -a addon
-      - name: Build App
-        id: build-app
-        run: scripts/build.sh -a app
-      - uses: actions/upload-artifact@v1
-        with:
-          name: SplunkforPaloAltoNetworks-${{ github.run_id }}
-          path: ${{ steps.build-app.outputs.path }}
-      - uses: actions/upload-artifact@v1
+      - name: Save Add-on Build Artifact
+        uses: actions/upload-artifact@v1
+        if: '! cancelled()'
         with:
           name: Splunk_TA_paloalto-${{ github.run_id }}
           path: ${{ steps.build-addon.outputs.path }}
-
-  appinspect-addon:
-    name: AppInspect (Add-on)
-    runs-on: ubuntu-18.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Build Add-on
-        id: build-addon
-        run: scripts/build.sh -a addon
       - name: AppInspect
         run: scripts/appinspect.sh -a addon -r
         env:
@@ -58,13 +42,21 @@ jobs:
 
   appinspect-app:
     name: AppInspect (App)
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Build App
         id: build-app
         run: scripts/build.sh -a app
+      - name: Save App Build Artifact
+        uses: actions/upload-artifact@v1
+        if: '! cancelled()'
+        with:
+          name: SplunkforPaloAltoNetworks-${{ github.run_id }}
+          path: ${{ steps.build-app.outputs.path }}
       - name: AppInspect
         run: scripts/appinspect.sh -a app -r
         env:
@@ -79,22 +71,74 @@ jobs:
 
   release:
     name: Release
-    if: github.event_name == 'push' && github.ref != 'refs/heads/develop'
+    if: github.ref != 'refs/heads/develop'
     needs: [appinspect-addon, appinspect-app]
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
+    outputs:
+      new_release_published: ${{ steps.semantic.outputs.new_release_published }}
+      new_release_version: ${{ steps.semantic.outputs.new_release_version }}
+      new_release_channel: ${{ steps.semantic.outputs.new_release_channel }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Create release and publish
-        id: release
-        uses: cycjimmy/semantic-release-action@v2
+        id: semantic
+        uses: cycjimmy/semantic-release-action@v3
         with:
           semantic_version: 17.1.1
           extra_plugins: |
             conventional-changelog-conventionalcommits@^4.4.0
-            @semantic-release/git@^9.0.0
             @semantic-release/exec@^5.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SPLUNK_USER: ${{ secrets.SPLUNK_USER }}
           SPLUNK_PASS: ${{ secrets.SPLUNK_PASS }}
+
+  docker-build:
+    name: Docker Build
+    needs: [release]
+    # When to run, per https://github.com/actions/runner/issues/491#issuecomment-850884422
+    if: always() && (needs.release.result == 'success' || needs.release.result == 'skipped')
+    runs-on: ubuntu-20.04
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository_owner }}/splunk-demo
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Determine docker tags and labels
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
+            type=ref,event=branch
+
+      - name: Set the version in app.conf
+        if: needs.release.result == 'success' && needs.release.outputs.new_release_published == 'true'
+        run: scripts/set-version.sh ${{ needs.release.outputs.new_release_version }} ${{ needs.release.outputs.new_release_channel }}
+
+      - name: Create docker version tag
+        id: versiontag
+        if: needs.release.result == 'success' && needs.release.outputs.new_release_published == 'true'
+        run: echo "::set-output name=versiontag::${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release.outputs.new_release_version }}"
+
+      - name: Login to Container registry
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: demo/Dockerfile
+          push: true
+          tags: |
+            ${{ steps.meta.outputs.tags }}
+            ${{ steps.versiontag.outputs.versiontag }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/pr-appinspect.yml

@@ -0,0 +1,97 @@
+name: PR App Inspect
+
+on:
+  pull_request_target:
+    branches:
+      - develop
+
+jobs:
+  appinspect-addon:
+    name: AppInspect (Add-on)
+    runs-on: ubuntu-18.04
+    # Remove write permissions
+    permissions:
+      contents: read
+    steps:
+      # Checkout unsafe code
+      - name: Checkout PR
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: pr
+          persist-credentials: false
+      # Checkout safe code
+      - name: Checkout build scripts
+        uses: actions/checkout@v3
+        with:
+          path: tools
+      # Replace build script in unsafe code with scripts from safe code
+      - name: Setup build scripts
+        run: |
+          rm -rf pr/scripts
+          mv tools/scripts pr
+      - name: Build Add-on
+        id: build-addon
+        working-directory: pr
+        run: scripts/build.sh -a addon
+      - name: Save Add-on Build Artifact
+        uses: actions/upload-artifact@v1
+        if: '! cancelled()'
+        with:
+          name: Splunk_TA_paloalto-${{ github.run_id }}
+          path: pr/${{ steps.build-addon.outputs.path }}
+      - name: AppInspect
+        working-directory: pr
+        run: scripts/appinspect.sh -a addon -r
+        env:
+          SPLUNK_USER: ${{ secrets.SPLUNK_USER }}
+          SPLUNK_PASS: ${{ secrets.SPLUNK_PASS }}
+      - name: Save report
+        uses: actions/upload-artifact@v1
+        if: '! cancelled()'
+        with:
+          name: Report-Splunk_TA_paloalto-${{ github.run_id }}.html
+          path: pr/_build/Splunk_TA_paloalto-${{ github.run_id }}.html
+
+  appinspect-app:
+    name: AppInspect (App)
+    runs-on: ubuntu-18.04
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout PR
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: pr
+          persist-credentials: false
+      - name: Checkout build scripts
+        uses: actions/checkout@v3
+        with:
+          path: tools
+      - name: Setup build scripts
+        run: |
+          rm -rf pr/scripts
+          mv tools/scripts pr
+      - name: Build App
+        id: build-app
+        working-directory: pr
+        run: scripts/build.sh -a app
+      - name: Save App Build Artifact
+        uses: actions/upload-artifact@v1
+        if: '! cancelled()'
+        with:
+          name: SplunkforPaloAltoNetworks-${{ github.run_id }}
+          path: pr/${{ steps.build-app.outputs.path }}
+      - name: AppInspect
+        working-directory: pr
+        run: scripts/appinspect.sh -a app -r
+        env:
+          SPLUNK_USER: ${{ secrets.SPLUNK_USER }}
+          SPLUNK_PASS: ${{ secrets.SPLUNK_PASS }}
+      - name: Save report
+        uses: actions/upload-artifact@v1
+        if: '! cancelled()'
+        with:
+          name: Report-SplunkforPaloAltoNetworks-${{ github.run_id }}.html
+          path: pr/_build/SplunkforPaloAltoNetworks-${{ github.run_id }}.html

CONTRIBUTING.md

@@ -7,7 +7,7 @@
 - [Bug fixes and features](#bug-fixes-and-features)
 - [Test changes in your branch](#test-changes-in-your-branch)
 - [Publish a new release (for maintainers)](#publish-a-new-release-for-maintainers)
-- [CI/CD Sequence diagram](#cicd-sequence-diagram)
+- [CI/CD Release Process](#cicd-release-process)
 
 ## How to contribute
 
@@ -96,10 +96,9 @@ directories and reloads them in Splunk when a change is detected.
 
 ## Publish a new release (for maintainers)
 
-Requires node and semantic-release npm package
-
 ```
 # Test the release process on develop
+# (this requires node and semantic-release npm package)
 semantic-release --dry-run --no-ci --branches=develop
 
 # Verify in the output that the next version is set correctly
@@ -113,24 +112,63 @@ git push origin master
 # At this point, GitHub Actions is testing the release
 # then building it for publication
 
-# There is a manual step here. You'll have to get the build
-# from the GitHub Actions artifacts and publish it on SplunkBase
-# manually. We can automate this when the SplunkBase API is more mature.
-
 # Now, sync your local with the remote to pull the new
-# commits made by the release bot.
-git fetch --all --tags
-git pull origin master
+# tags created in the release process
+git fetch --tags
 git checkout develop
-git merge master
-git push origin develop
 
 # Now you're ready to branch again and work on the next feature.
 ```
 
-## CI/CD Sequence diagram
-
-![Sequence diagram](./.github/cicd-sequence-diagram.svg)
-
-- [Diagram source](./.github/cicd-sequence-diagram.mmd)
-- [CI/CD Workflow yaml](./.github/workflows/ci.yml)
+## CI/CD Release Process
+
+```mermaid
+sequenceDiagram
+  %% This is a mermaid file
+  %% See https://mermaid-js.github.io
+
+  participant G as GitHub
+  participant A as GH Actions
+  participant I as Splunk AppInspect
+  participant S as SplunkBase
+  participant C as GH Container Registry
+  participant K as GCP GKE
+  
+  G-)+A: Push Triggers GitHub Action
+
+  %% AppInspect
+  rect rgb(153,255,170,.2)
+    note left of I: AppInspect
+    A->>+I: Trigger AppInspect of App and Add-on
+    I-->>-A: AppInspect completed
+    A->>+I: Request HTML report
+    I-->>-A: Return HTML report
+  end
+
+  %% Release
+  rect rgb(217,179,255,.2)
+    note left of S: Release
+    A->>A: Determines new version
+    A->>G: Create GH Release w/ release note
+    A->>A: Build App & Add-on w/ incremented version
+    A->>S: Publish release
+    A->>S: Verify publish
+  end
+
+  %% Docker build
+  rect rgb(128,170,255,.2)
+    note left of C: Docker build
+    A->>A: Build docker image
+    A->>-C: Publish docker image
+  end
+  
+  %% Demo server
+  rect rgb(255,221,153,.2)
+    note right of C: Demo server
+    loop weekly
+      K->>+K: Cloud Scheduler triggers Cloud Function
+      K->>C: Pull latest docker demo
+      K->>-K: Restart Demo
+    end
+  end
+```